Watching the Matrix

Among the many geek themes of the original Matrix movie is the character Tank sitting at a bank of monitors, looking for trouble on cameras and viewing the streaming green characters of the Matrix. If he glances away for a minute he risks missing something. For years after, as a consultant traveling from client to client, I saw the green Matrix screen everywhere, either as someone’s desktop wallpaper or as their screensaver. It was a bit of a geek badge that I saw wherever I went.

I don’t know about you, but as a security practitioner I don’t want Tank’s job. I simply have better things to do than manually process a seemingly overwhelming volume of streaming data to work out what is a real threat and what is background noise or a false positive. The industry is full of tools that create mountains of data and alerts: Security Information and Event Management (SIEM), IDS/IPS, next-gen firewalls, and endpoint-based solutions such as Host-based Intrusion Detection and Endpoint Detection and Response. While these tools solve certain problems and are key parts of a broad information security solution, they create a Matrix-like problem of data overload and false positives. The main reason for this is that they either cannot be tailored and tuned to an individual environment at all, or only with great difficulty.

In our work here at VDX we have helped a large number of customers deploy the Enterprise Mobility Suite (EMS), which I discuss here, to provide layered protection of organizational data. At the core of the solution is protection of cloud identity. Microsoft has recently added an additional method of identity protection called Advanced Threat Analytics (ATA), aimed at identifying attacks against on-premises user identities. It is now bundled with EMS, and is also part of the Enterprise Cloud Suite (ECS) and a couple of their other licensing models.

ATA uses behavioral analytics combined with known-attack detection. What does that mean? Start with behavioral analytics. ATA uses machine learning to look at how a user typically interacts with the environment at the identity level: not only logins, but also the devices the authentication requests come from, when and where they come from, concurrent logins, and requests for resources such as file shares. It does this by observing how that user identity and its devices interact with Active Directory. From this it builds an Organizational Security Graph, which it maintains and updates over time. The graph is the profile of what “normal” is, with the understanding that “normal” can change over time. Having learned “normal” behavior, it is then able to alert when it sees something “abnormal.”

So when it watches me it doesn’t alarm at concurrent logins from the same set of devices in the same geography, because that happens all the time with me. But it would flag my identity’s activity as abnormal if the concurrent logins were suddenly from new devices in Russia, the UK, India, and Brazil, or if my identity was requesting access from one internal VDX resource to another (something called “lateral movement,” and probably worthy of its own blog post). ATA then correlates the abnormal behavior it sees in my identity with other interactions. For example, if my identity is attempting lateral movement from SystemA to SystemB, and there are additional abnormal identity or access requests coming from SystemA from other accounts, this increases the likelihood and risk that an attack is underway. Finally, ATA compares the behavior it is seeing against known attacks such as Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Forged PAC (MS14-068), Golden Ticket, and many other authentication- and authorization-based attacks. The end result is that a possible event is deeply correlated before the alert is raised.
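The learn-normal-then-flag-deviation idea and the cross-account correlation described above, as an added Python example that is not ATA’s code or any VDX material. The events, the device names (laptop-01, SystemA, SystemB, SystemC and so on) and the three-attribute per-user profile are constructed stand-ins for the Organizational Security Graph; a real system would keep re-learning the profile over time instead of using one fixed baseline window.

```python
from collections import defaultdict

# Constructed sample events, not real ATA telemetry: (user, source_device, country, target)
BASELINE = [
    ("alice", "laptop-01", "US", "fileshare-01"),
    ("alice", "phone-01", "US", "mail"),
    ("bob", "desktop-07", "US", "fileshare-01"),
    ("carol", "laptop-03", "US", "mail"),
]
RECENT = [
    ("alice", "laptop-01", "US", "fileshare-01"),  # matches alice's profile, no alert
    ("alice", "SystemA", "RU", "SystemB"),         # new device and country, resource-to-resource request
    ("bob", "SystemA", "US", "SystemC"),           # a second account behaving oddly from SystemA
    ("carol", "laptop-03", "IN", "mail"),          # only the country is new
]

def build_profile(events):
    """Learn each user's 'normal': devices, countries and targets seen in the baseline window."""
    profile = defaultdict(lambda: {"devices": set(), "countries": set(), "targets": set()})
    for user, device, country, target in events:
        profile[user]["devices"].add(device)
        profile[user]["countries"].add(country)
        profile[user]["targets"].add(target)
    return dict(profile)

def score_events(profile, events):
    """Flag deviations from the profile, then correlate across accounts by source device."""
    deviations, abnormal_per_device = [], defaultdict(int)
    for user, device, country, target in events:
        p = profile.get(user)
        if p is None:
            reasons = ["unknown user"]
        else:
            reasons = [name for name, key, value in (("new device", "devices", device),
                       ("new country", "countries", country), ("unusual target", "targets", target))
                       if value not in p[key]]
        if reasons:
            abnormal_per_device[device] += 1
            deviations.append((user, device, reasons))
    # A single deviation is "medium"; if another account is also abnormal from the same
    # source device (the SystemA case in the text), the finding is corroborated and "high".
    return [{"user": user, "device": device, "reasons": reasons,
             "severity": "high" if abnormal_per_device[device] > 1 else "medium"}
            for user, device, reasons in deviations]

if __name__ == "__main__":
    for finding in score_events(build_profile(BASELINE), RECENT):
        print(finding)
```

Running it reports alice and bob as high-severity findings tied to SystemA, carol as a medium-severity new-country finding, and nothing for alice’s normal login.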

ATA is a welcome, on-premises addition to the identity protection available in the cloud through EMS. It is definitely worth a look as part of an overall security solution and as a way of quieting down the Matrix-like stream of alerts that you are faced with now. Microsoft has put a lot of information up at the ATA landing page, or contact VDX and we’ll help you take a closer look. And stop trying to do Tank’s job – you have much better things to do with your time.